SA-CONTRIB-2012-108 - Drag & Drop Gallery - Arbitrary PHP code execution [#1679444]

Upload.php:

- should check access
- should check target location is in the files directory
- should use file_munge_filename
- should use a token to prevent CSRF
- should escape nid before display (XSS)

there may be additional problems,

The module:

Should use placeholders in ALL queries.

There may be additional problems.

Comments

Comment #0.0

greggles

he/him

English

Denver, Colorado, USA

CreditAttribution: greggles commented 11 July 2012 at 15:47

Issue summary:

View changes

Update with actual content

Comment #1

drumm

he/him

NY, US

CreditAttribution: drumm at Drupal Association commented 18 December 2017 at 14:21

Issue summary:	View changes
Issue tags:		+Security

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Arbitrary PHP code execution

Comments

Comment #0.0

Comment #1

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community